Certificate Chain Checker
Analyze PEM bundles, likely order, and hostname fit before you debug trust-store issues
The checker reads PEM certificates, maps issuer and subject relationships, highlights likely leaf and root positions, and optionally compares a hostname against the likely leaf SAN list. It is designed for structural debugging, not public-trust validation.
- Paste the leaf certificate and any intermediates as PEM blocks.
- Add a hostname when you want SAN or common-name guidance for the likely leaf.
- Click Analyze chain and read the recommended leaf-to-root order first.
- Use the warning list to spot missing issuers, duplicates, or unusual self-signed leaf material.
This page does not check revocation, fetch intermediates, consult a browser trust store, or guarantee that a public browser would accept the chain. It tells you whether the pasted bundle looks structurally coherent and whether the leaf hostname claim appears to line up.
Can this tell me whether Chrome or Safari will trust the chain?
No. This page does not load a platform trust store or perform full path validation.
Why does a hostname mismatch still show a parsed chain?
Because hostname matching is a warning on top of structural analysis. The certificates can still parse and order correctly while the leaf names do not fit your requested host.
Does the order of PEM blocks matter?
Many servers expect a leaf-to-root style bundle. This page calls out when the pasted sequence looks out of order.